Ref metaTagMessage "The page contains a CSP defined in a tag. Consider defining the CSP in an HTTP header if you can."
This shouldn't be an error if there is also a CSP HTTP header, because you can define multiple Content Security Policies, and each one will be enforced.
For example, I will often define a strict CSP in an HTTP header; then in the HTML `<head>`, I will define any `<script>` tags I need, then add a `<meta>` CSP (a second policy), which ensures no other JavaScript is defined (e.g. an attacker finding a way to include a JavaScript file that is on the allow-list but should not be run on this page).

```html
<meta http-equiv="Content-Security-Policy" content="script-src 'none'" /> <!-- No scripts after this -->
```
I've not tried this, but I assume /core/audits/csp-xss.js:143 could be changed to:
- if (cspMetaTags.length) {
+ if (cspMetaTags.length > 0 && cspHeaders.length == 0) {
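Review bot: `cspHeaders` must already be in scope at this line for the new condition to compile; the hunk shows only the condition, so confirm the name under which the audit collects header-delivered policies and use that. Style: prefer strict equality (`cspHeaders.length === 0`) over `==`, and `cspMetaTags.length > 0` can stay as `cspMetaTags.length` to match the original condition. Also confirm the intent: with this condition the message is suppressed whenever any header policy exists, even one that is itself weak, so the meta-tag advice would no longer surface in that case.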
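The header-plus-meta layering described in the issue, as an added example (not Lighthouse code and not the issue author's): a simplified, constructed model of how a browser combines several policies. Each policy is enforced independently, so a script must be allowed by every policy active at the time it is processed; a `<meta>` policy only applies to elements that come after it in the document. The parser handles `script-src`/`default-src` with `'none'`, `'self'`, `'nonce-…'` and simple host sources only; wildcards, paths and `'strict-dynamic'` are deliberately out of scope, and the page origin, URLs and element list are constructed sample data.

```javascript
'use strict';

// Parse a CSP string into { directiveName: [sourceExpressions] }.
function parsePolicy(csp) {
  const out = {};
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    out[name.toLowerCase()] = sources;
  }
  return out;
}

// Does ONE policy allow an external script at `url` (with optional nonce)
// on a page served from `pageOrigin`? Simplified source matching only.
function policyAllowsScript(policy, {url, nonce, pageOrigin}) {
  const sources = policy['script-src'] ?? policy['default-src'];
  if (!sources) return true; // this policy does not restrict scripts at all
  if (sources.length === 1 && sources[0] === "'none'") return false;
  const target = new URL(url);
  for (const src of sources) {
    if (src === "'self'" && target.origin === pageOrigin) return true;
    if (nonce && src === `'nonce-${nonce}'`) return true;
    if (!src.startsWith("'")) {
      // Host source: compare origins (assumption: https if no scheme given).
      const host = src.includes('://') ? src : `https://${src}`;
      if (new URL(host).origin === target.origin) return true;
    }
  }
  return false;
}

// Walk a document in order. The header policy is active from the start;
// each <meta> CSP becomes active only for elements that follow it.
// Returns one {src, allowed} entry per <script src> element.
function evaluateDocument({headerCsp, pageOrigin, elements}) {
  const active = headerCsp ? [parsePolicy(headerCsp)] : [];
  const results = [];
  for (const el of elements) {
    if (el.type === 'meta-csp') {
      active.push(parsePolicy(el.content));
      continue;
    }
    if (el.type === 'script') {
      const allowed = active.every(p =>
        policyAllowsScript(p, {url: el.src, nonce: el.nonce, pageOrigin}));
      results.push({src: el.src, allowed});
    }
  }
  return results;
}

// Constructed sample: strict header policy, the scripts the page needs,
// then a meta policy that shuts the door on anything loaded afterwards.
const sampleDocument = {
  pageOrigin: 'https://app.example',
  headerCsp: "default-src 'self'; script-src 'self' https://cdn.example.com",
  elements: [
    {type: 'script', src: 'https://app.example/boot.js'},
    {type: 'meta-csp', content: "script-src 'none'"},
    // On the header allow-list, but injected after the meta policy: blocked.
    {type: 'script', src: 'https://cdn.example.com/widget.js'},
    {type: 'script', src: 'https://app.example/later.js'},
  ],
};

console.log(JSON.stringify(evaluateDocument(sampleDocument), null, 2));
```

Dropping the `meta-csp` element from the sample lets `widget.js` through, because the header policy alone allows that origin; that difference is exactly what the second policy buys you, and why the audit's "consider defining the CSP in an HTTP header" message is misleading when a header is already present.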